1. Field of the Invention
The present invention relates to the field of communications security in data packet telecommunications networks.
2. Description of the Related Art
In the last two decades, cellular systems have emerged as the preferred way for people to communicate. Such systems include Base Stations (BSs) that provide radio coverage for subscribers' Mobile Stations (MSs) within the boundaries of so-called radio cells, so that MSs can communicate with each other and with subscribers of Public Switched Telephone Networks (PSTNs), or further access networks such as the Internet and/or intranets. Such communications are made possible by one or more packet-switched nodes of the cellular system, which may in turn be connected to a switching node of the PSTN and/or to a gateway to the Internet.
Cellular systems evolved from their first generation (1G), in which radio coverage was based on analog transmission, to the second generation (2G), in which radio signals were converted to a digital format before being relayed to the other participant in the call. This improved both the quality of the transmitted voice signal and the radio spectrum efficiency of the cellular networks.
Cellular systems have since evolved further into the so-called 3rd Generation (3G) systems, in which communications are carried in digital form from end to end of the communication path, as data packets, over an entirely packet-switched telecommunications network. In 3G systems, data packet addressing is based on IP (Internet Protocol) addresses. Typically, each data packet carries both the IP address of the sender and the IP address of the intended recipient, so that the packet can be routed across the data packet network and the Internet to its destination.
Packet-switched communications offer weaker security guarantees than 1G and 2G communications. In 1G and 2G cellular systems, communication paths were circuit-switched and dedicated, i.e. each channel was used exclusively by the participants in a particular voice or data communication. This is no longer the case in 3G systems, where the communication data packets are IP-based and therefore inherit the characteristics of IP traffic. For example, in 3G systems, IP data packets may take various paths from sender to receiver. Some communications may also traverse the Internet and intermediate IP networks, which adds all the known security risks of the Internet and IP networks to cellular telecommunications. This makes 3G communications prone to security attacks of various types, such as, but not limited to, denial-of-service attacks, spam, viruses, worms, Trojan horses, spyware, session hijacking and man-in-the-middle attacks.
Other security drawbacks are associated with present 3G cellular systems. For example, 3G subscribers use email and MMS (Multimedia Messaging Service), which may carry viruses like those known from PC-based Internet email. Such viruses may infect subscribers' MSs, cause hardware and/or software problems in the terminal that prevent normal operation, and even interrupt traffic, thereby preventing the subscriber from using the MS and reducing the telecom operator's revenue and reputation. A further weakness of existing 3G systems is that subscribers are exposed to email or MMS spam, which generates undue data traffic in the network.
To summarize, the impact of such attacks on a given MS may include:
        Downtime for the mobile user;
        Preventing normal use of the MS;
        Tarnishing the telecom operator's reputation;
        Preventing the user from making calls on 3G handsets, including 911 calls;
        Loss of service, i.e. loss of revenue for the operator;
        Deterring users from using services such as Internet access, resulting in decreased operator revenue;
        Snooping on ongoing communications; and
        Impersonation of users as a result of session hijacking.
In conclusion, the telecom operators' current security solutions leave them open to a plethora of attacks, each with different effects on the mobile user and on the network itself, and fail to offer a security solution flexible enough to meet the requirements of each mobile subscriber.
Decidedly, today's Mobile Network Operators (MNOs) provide no adequate security for MS users. At best, minimal protection is offered by Access Control Lists (ACLs), which operate on Layers 3-4 only, or by stateful packet inspection; neither inspects the content of packets, and neither prevents session hijacking, man-in-the-middle attacks, viruses, spam, port scanning and the like.
Today's MSs have no integrated security features such as a firewall, anti-virus detection, spam filtering or spyware detection. Because 3G handsets are typically limited in internal memory and processing capacity, at most a small and basic firewall can be implemented on the terminal, and even that is cumbersome to configure, manage and update with the latest security features.
On the network side, telecom operators have at best installed a minimal perimeter defense, such as a firewall at the boundary between the network and the Internet/Application Service Provider and at the borders of their backbone network sites. However, this solution is not tailored to the individual security needs of different mobile users.
There are currently no security solutions that offer a complete security suite for managing the security of MSs, and none that offer a security solution tailorable to the MSs' requirements and/or subscription type.
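The limitation described above, that a Layer 3-4 ACL sees only addresses, protocol and ports and therefore passes a permitted-port packet regardless of what its payload carries, can be made concrete with a small simulation. The following is an added example and not code from the original text or from any product it names; the packet fields, ACL rules and signature table are constructed for illustration, and the only real constant is the EICAR anti-virus test string, which scanners are built to recognise.

```python
"""Layer 3-4 ACL versus payload inspection applied to the same packet.

Added example, not part of the original text. Packet fields, ACL rules and
the signature table are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard EICAR test string: harmless, recognised by anti-virus scanners.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""


@dataclass
class AclRule:
    """One line of a first-match ACL; None in a field means 'any'."""
    action: str                     # "permit" or "deny"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    dst_net: Optional[str] = None   # CIDR prefix, e.g. "10.0.0.0/8"

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.dst_net is not None and (
            ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_net)
        ):
            return False
        return True


def acl_decision(rules: List[AclRule], pkt: Packet) -> str:
    """Evaluate Layer 3-4 fields only; implicit deny if no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def content_decision(signatures: Dict[str, bytes], pkt: Packet) -> str:
    """Payload inspection: name of the first matching signature, else 'clean'."""
    for name, sig in signatures.items():
        if sig in pkt.payload:
            return name
    return "clean"


def inspect(rules: List[AclRule], signatures: Dict[str, bytes],
            pkt: Packet) -> Tuple[str, str]:
    """ACL first, then content inspection; returns (verdict, reason)."""
    if acl_decision(rules, pkt) == "deny":
        return ("deny", "acl")
    hit = content_decision(signatures, pkt)
    return ("deny", hit) if hit != "clean" else ("permit", "clean")


# Constructed sample policy: web ports permitted, everything else dropped.
RULES = [
    AclRule("permit", proto="tcp", dst_port=80),
    AclRule("permit", proto="tcp", dst_port=443),
    AclRule("deny"),
]
SIGNATURES = {"eicar-test-file": EICAR}

# Constructed sample packet: a TCP segment on the permitted port 80 whose
# payload carries the EICAR string. The ACL never looks past the header.
MALICIOUS_HTTP = Packet(
    src_ip="10.20.30.40", dst_ip="203.0.113.10", proto="tcp", dst_port=80,
    payload=b"POST /upload HTTP/1.1\r\nHost: example\r\n\r\n" + EICAR,
)

if __name__ == "__main__":
    print("ACL only:", acl_decision(RULES, MALICIOUS_HTTP))
    print("ACL + content inspection:", inspect(RULES, SIGNATURES, MALICIOUS_HTTP))
```

Running the script shows the ACL stage permitting the segment because its 5-tuple is allowed, while the content stage flags the EICAR string; the same structure applies to spam or malware signatures in MMS or email traffic, which is exactly what a Layer 3-4 ACL or stateful filter alone cannot see.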
Some limited security solutions are offered by certain companies, which provide, for example, firewall products for some terminals. One such company is Bluefire Security Inc., whose product Mobile Firewall Plus™ is a terminal-based firewall. However, this solution is compatible with only a few handset models and therefore cannot offer a comprehensive security solution for an entire 3G cellular system. Furthermore, it is not customizable by subscription type or subscriber profile, cannot be managed on a per-subscriber basis, and cannot be remotely managed by the MN and/or the mobile network operator.
F-Secure is a company that provides anti-virus software for some mobile terminals as well as a network-based solution. Called F-Secure Mobile Filter, this network-based solution is a content security filter for the operator's value-added services layer. It gives operators and service providers a means of filtering content so as to block harmful software in the network before it reaches the mobile phones. Being a gateway solution, F-Secure Mobile Filter provides transparent protection for every device in the network, with no software installed on or required in the protected mobile device.
None of these solutions addresses all of today's security needs of 3G subscribers. While today's subscribers do need security for their handsets, the level of security they require may differ. In reality, mobile users have different security needs, which may depend, for example, on the user's age, social class, pre-paid vs. post-paid account type, service categories, gender, personal interests and business/corporate requirements. For example, a 25-year-old man may well have different security needs on his handset than an 11-year-old child or a corporate user.
Mobile operators need to protect their revenue, which implies ensuring that subscribers' MSs are adequately protected. At the same time, while ensuring proper protection of subscribers' terminals, mobile operators also have to take subscribers' preferences and particularities into account. At present, however, mobile operators cannot provide granular security that takes mobile users' preferences into account so as to deliver a tailored level of security that meets the needs of both operators and subscribers.
Accordingly, it should be readily appreciated that, in order to overcome the deficiencies and shortcomings of the existing solutions, it would be advantageous to have a method and system for effectively ensuring granular security for mobile users of existing 3G cellular networks, tailored to MS users on a group or individual basis according to the subscribers' needs. The present invention provides such a solution.